Problem with EAP/TLS and XP SP2

Alan DeKok aland at ox.org
Sat Nov 5 16:31:27 CET 2005


Hal Pomeranz <hal at deer-run.com> wrote:
> I will note however that if I try to set:
> 
> 	check_cert_cn = %{User-Name}
> 
> in the "tls" section of eap.conf, then I am unable to connect to the
> network with EAP/TLS.

  See debug mode for why.

>  I don't fully understand from the docs what
> this parameter is doing exactly.  Is this supposed to work?  Is there
> some configuration (perhaps in my users file) that I'm missing?  What
> is the impact of NOT setting this parameter?

  The issue is that the User-Name attribute may be different from the
CN in the certificate, i.e. I steal your certificate and use it.

  This check tries to ensure that the person using the certificate is
the one who's supposed to be using it.

  The impact of not setting it is usually minor.

  Alan DeKok.
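As an added illustration (not code from this thread or from FreeRADIUS itself), here is a small Python model of what `check_cert_cn = %{User-Name}` enforces: the configured string is expanded against the request attributes and must equal the client certificate's CN exactly, so a certificate presented under a different identity, or an identity sent in a form that does not match the CN byte-for-byte, is rejected. The xlat expander, the attribute dictionary and the sample cases are assumptions made for this example.

```python
import re

# Minimal stand-in for FreeRADIUS's %{Attribute} expansion (xlat).
# Assumption: only plain %{Name} references, no nested or conditional xlats.
XLAT = re.compile(r"%\{([A-Za-z0-9-]+)\}")


def expand_xlat(template, request):
    """Expand %{Attr} references from the request's attribute dict;
    an attribute missing from the request expands to the empty string."""
    return XLAT.sub(lambda m: request.get(m.group(1), ""), template)


def check_cert_cn(config_value, request, cert_cn):
    """Emulate eap.conf tls { check_cert_cn = ... }: expand the configured
    string against the request and require it to equal the client
    certificate's CN exactly. Returns (accepted, reason)."""
    if config_value is None:
        return True, "check_cert_cn not set: any valid client cert is accepted"
    expected = expand_xlat(config_value, request)
    if not expected:
        return False, "check_cert_cn expanded to an empty string"
    if expected != cert_cn:
        return False, f"User-Name {expected!r} != certificate CN {cert_cn!r}"
    return True, "User-Name matches certificate CN"


# Constructed cases (config value, request attributes, CN of presented cert).
CASES = [
    # legitimate user: identity equals the CN
    ("%{User-Name}", {"User-Name": "hal"}, "hal"),
    # certificate copied elsewhere and presented under another identity
    ("%{User-Name}", {"User-Name": "mallory"}, "hal"),
    # identity sent in a form that is not byte-for-byte equal to the CN
    ("%{User-Name}", {"User-Name": "hal@example.com"}, "hal"),
    # parameter not set: the CN is never compared to the identity
    (None, {"User-Name": "mallory"}, "hal"),
]


def run_cases():
    """Return the accept/reject decision for each constructed case."""
    return [check_cert_cn(cfg, req, cn)[0] for cfg, req, cn in CASES]


if __name__ == "__main__":
    for cfg, req, cn in CASES:
        ok, why = check_cert_cn(cfg, req, cn)
        print(f"{'ACCEPT' if ok else 'REJECT'}: {why}")
```

Running it shows that the third case is rejected even though the certificate is genuine, which is the kind of mismatch the server's debug output reveals when a legitimate client stops connecting after the setting is enabled.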